Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[feature request] support GNU Ring, not Signal #320

Open
ghost opened this issue Aug 7, 2018 · 11 comments
Open

[feature request] support GNU Ring, not Signal #320

ghost opened this issue Aug 7, 2018 · 11 comments
Milestone

Comments

@ghost
Copy link

ghost commented Aug 7, 2018

GNU Ring Jami is the de facto non-controversial secure IM tool for tree-hugging hippy freedom lovers and has support on phones and desktops. The Android app is on f-droid.org. This is a conflict-free open community tool that should be supported.

Signal is apparently supported because of its popularity and/or Snowden's endorsement. But it's a poor choice for many reasons:

  • Signal forces Android users into the private walled-garden of Google Playstore just to obtain the APK blob, which is unavailable outside of that jail; consequently:
    ** excludes people who bought an Android w/out a PlayStore (tm) license
    ** excludes people who refuse to give their phone number to Google (to create the required acct)
    ** abuses user privacy through Google tracking (Google keeps track of apps you download and your IMEI number)
    ** denies source code (most likely... I've not done a thorough search though)
  • Signal's Debian release is unofficial. This is likely because it would not pass the quality scrutiny of Debian repository inclusion. It also means users have to do manual steps for the installation.
  • Signal's Debian installation is broken (404 error on the package URL). And the "debian" install instructions are actually for Ubuntu.
  • Signal's support page is CloudFlared, which:
    ** subjects people to a private walled-garden that blocks Tor users (a net neutrality abuse)
    ** and abuses the privacy of those who can use the page by sharing all traffic with CloudFlare Inc., whilst deceiving those users at the same time by showing them an SSL padlock (the tunnel actually terminates at CloudFlare's server not that of the webhost).

That's a lot of evil right there. I suggest:

  • giving a low priority to fixing any non-security-critical Signal bug reports (glad to see this seems to already be happening)
  • ditching Signal support when a security-critical Signal bug is discovered
  • giving a high priority to implementing a GNU Ring feature

(update) The above is obsolete. See https://github.com/privacytoolsIO/privacytools.io/issues/779 for current OWS Signal privacy abuses

@ghost ghost changed the title [feature request] GNU Ring support is more important than Signal support [feature request] support GNU Ring, not Signal Aug 7, 2018
@n8fr8 n8fr8 added this to the The Future! milestone Aug 20, 2018
@deviantollam
Copy link

is this still accurate? i thought Signal was available as a plain APK download now... https://signal.org/android/apk/

@deviantollam
Copy link

(can't speak to your other criticisms regarding Signal's support page being blocked by Tor, however)

@ghost
Copy link
Author

ghost commented Aug 30, 2018

Looks like users are being advised to use the Playstore, but not required. I think I saw the "Danger Zone" section before, but ignored it because nothing appeared below the "danger zone" label (due to noscript). Now I can see that the APK is available outside of Google's jail, so the first bullet along with it's sub-bullets is not strictly correct. It's still considerable though because they've deliberately made the APK hard to find and designed the website so most users will think they must use the PlayStore.
Note that the fingerprint did not match the APK when I checked it.

@ghost
Copy link
Author

ghost commented Feb 3, 2019

@ghost
Copy link
Author

ghost commented Mar 9, 2019

Signal is centralized in Amazon AWS, a privacy abuser. Even if Signal is secure enough that users need not trust Amazon, Amazon is still benefiting financially from Signal. At a minimum Amazon gets the IP addresses of Signal users and can then cross-reference that IP address with other tables. Haven users can possibly be de-anonymized if they use the Signal mechanism by comparing timings of onion traffic with AWS traffic (investigation needed).

@sahmes
Copy link

sahmes commented Mar 14, 2019

I'm also disappointed that the options are SMS or Signal. I'd very much like to see support for the Matrix protocol. In this case you can configure your own server if you like, need no phone number, and get notification on any device.
https://en.wikipedia.org/wiki/Matrix_(protocol)

@n8fr8
Copy link
Member

n8fr8 commented Mar 15, 2019

We will be adding Matrix support, as well as a pure Onion-to-Onion sync between multiple Haven apps.

@n8fr8
Copy link
Member

n8fr8 commented Mar 15, 2019

(Guardian Project has a secure matrix client project underway called Keanu: https://gitlab.com/keanuapp)

@ThatLurker
Copy link

Jami seems to use google firebase and also has a firebase tracker in the app https://reports.exodus-privacy.eu.org/en/reports/63024/
There has also been a lot of reports of messages being lost and bad audio/video quality (not sure if these are true anymore. I have not used jami in a while)

@Mikaela
Copy link

Mikaela commented Mar 22, 2019

They are at F-Droid so maybe they have a separate variant without those.

@n8fr8 n8fr8 mentioned this issue Mar 22, 2019
@ghost
Copy link
Author

ghost commented Mar 22, 2019

They are at F-Droid so maybe they have a separate variant without those.

I just tested the F-Droid version using exodus-standalone. The output:

=== Information
- APK path: cx.ring_144.apk
- APK sum: b7e8c2654ae7d788e62f699d053426c4f22cb84410bbce240fcc3934b31964bb
- App version: 20190103
- App version code: 144
- App UID: 28E35987AE316D25D5761E00267FF6F86525C708
- App name: Jami
- App package: cx.ring
- App permissions: 21
    - android.permission.INTERNET
    - android.permission.RECORD_AUDIO
    - android.permission.MODIFY_AUDIO_SETTINGS
    - android.permission.PROCESS_OUTGOING_CALLS
    - android.permission.CALL_PHONE
    - android.permission.RECEIVE_BOOT_COMPLETED
    - android.permission.ACCESS_WIFI_STATE
    - android.permission.ACCESS_NETWORK_STATE
    - android.permission.READ_CONTACTS
    - android.permission.READ_PROFILE
    - android.permission.BLUETOOTH
    - android.permission.VIBRATE
    - android.permission.READ_CALL_LOG
    - android.permission.WRITE_CALL_LOG
    - android.permission.WRITE_EXTERNAL_STORAGE
    - android.permission.READ_EXTERNAL_STORAGE
    - android.permission.WAKE_LOCK
    - android.permission.CAMERA
    - android.permission.CHANGE_WIFI_STATE
    - android.permission.READ_PHONE_STATE
    - android.permission.FOREGROUND_SERVICE
- App libraries:
- Certificates: 1
    - Issuer: countryName=UK, stateOrProvinceName=ORG, localityName=ORG, organizationName=fdroid.org, organizationalUnitName=FDroid, commonName=FDroid 
Subject: countryName=UK, stateOrProvinceName=ORG, localityName=ORG, organizationName=fdroid.org, organizationalUnitName=FDroid, commonName=FDroid 
Fingerprint: 3f47e291c57b7d55cb0d4e28ea792ce96a207c76 
Serial: 1402691044
=== Found trackers: 0

So there should perhaps be a warning advising users to favor the F-Droid version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants